Information recording device

ABSTRACT

The data storage portion stores an encrypted medium device key Enc (Kcu, Kmd_i) generated by encrypting a medium device key (Kmd_i), a medium device key certificate (Certmedia), and encrypted content data generated by encrypting content data, the controller stores a controller key (Kc) and first controller identification information (IDcu), the information recording device being configured to execute, after being connected to an external host device, an one-way function calculation based on the controller key (Kc) and the first controller identification information (IDcu) to generate a controller unique key (Kcu) used when decrypting the encrypted medium device key Enc (Kcu, Kmd_i), and second controller identification information (IDcntr) used when decrypting the encrypted content data.

FIELD

Embodiments described herein relates to an information recording device.

BACKGROUND

In recent years, with the development of information-oriented society,content data distribution systems are widely used. The content datadistribution systems deliver digitalized content data such as books,newspapers, music or moving pictures, and enable content data stored ina user terminal or in a storage medium through a user terminal to beviewed/listened in a user terminal or in a PC (personal computer)environment.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating a structure of a memory card 1000used in an information recording system according to the firstembodiment.

FIG. 2 is an equivalent circuit diagram illustrating a structure of thememory 100 (NAND type flash memory) of FIG. 1.

FIG. 3 is a schematic diagram describing a method of writing ofencrypted medium device key and the medium device key certificate to thememory card 1000 in the first embodiment.

FIG. 4 is a block diagram illustrating a structure and operation of thememory card 1000 and a host device 2000 included in the informationrecording system according to the first embodiment.

FIG. 5 is a block diagram illustrating a structure and operation of thememory card 1000 and a host device 2000 included in the informationrecording system according to the first embodiment.

FIG. 6 is a block diagram illustrating a structure and operation of thememory card 1000 and a host device 2000 included in the informationrecording system according to the second embodiment.

FIG. 7 is a flow chart illustrating an operation of the informationrecording system according to the second embodiment.

DETAILED DESCRIPTION

An information recording device according to an embodiment includes adata storage unit and a controller. The data storage unit is capable ofstoring an encrypted medium device key Enc (Kcu, Kmd_i) generated byencrypting a medium device key (Kmd_i) functioning as a secret key of apublic key cryptosystem using a controller unique key (Kcu), and amedium device key certificate (Certmedia) functioning as a public key ofthe public key cryptosystem. The controller further includes: aninformation recording unit configured to store a controller key (Kc) andfirst controller identification information (IDcu) unique to thecontroller; a key generation unit configured to execute a one-wayfunction calculation based on the controller key (Kc) and the firstcontroller identification information (IDcu) to generate a controllerunique key (Kcu) unique to the controller; an identification informationgenerating unit configured to execute a one-way function calculationbased on on the controller key (Kc) and the first controlleridentification information (IDcu) to generate second controlleridentification information (IDcntr); a key encryption unit configured toencrypt the medium device key (Kmd_i) by the controller unique key (Kcu)to generate encrypted medium device key Enc (Kcu, Kmd_i); and a keyexchange unit configured to execute an authentication key exchangeprocess with a host device using the medium device key (Kmd_i) and themedium device key certificate (Certmedia).

A data recording device according to an embodiment includes: a memoryunit configured to store various types of data; a controller configuredto control the memory unit; and an interface unit configured to performdata communication with a host device through a secure channel. Thecontroller holds a controller key and a first controller identificationinformation unique to the controller.

The controller further includes: a controller unique key generating unitconfigured to generate a controller unique key unique to a respectivecontroller based on the controller key and the first controlleridentification information; a controller identification informationgenerating unit configured to generate second controller identificationinformation based on the first controller identification information; adecryptor; and an authentication/key exchange process unit configured toperform an authentication/key exchange process with the host device.

The memory unit further includes at least a normal recording areaaccessible freely from outside, a system information recording area, anda secret recording area. The secret recording area is accessible on thecondition that a certain authentication process is completed. The systeminformation recording area stores an encrypted medium device key and amedium device key certificate. The encrypted medium device key is amedium device key encrypted by the controller unique key. The mediumdevice key functions as a private key of a public key cryptosystem. Themedium device key certificate functions as a public key of the publickey cryptosystem.

A decryptor is configured to decrypt to decrypt the encrypted mediumdevice key using the controller unique key to obtain a medium devicekey. In addition, the authentication/key exchange process unit isconfigured to perform authentication/key exchange process with the hostdevice through the interface unit using the medium device key and themedium device key certificate to establish the secure channel.

A host device according to an embodiment described below is enabled tobe connected to a data recording device. The data recording deviceincludes a memory unit configured to store various types of data, and acontroller provided with a controller key and a first controlleridentification information to control the memory unit, and configured toperform a certain authentication/key exchange process with the datarecording device to supply data thereto.

The host device includes a holding unit for holding a host device keyfunctioning as private key of public key cryptosystem and a host devicecertificate functioning as a public key of public key cryptosystem. Thehost device also includes an authentication/key exchange process unitconfigured to perform an authentication/key exchange process with thedata recording device using the host device key and the host devicecertificate to receive medium device key certificate ID held in the datarecording device and contained in the medium device key certificatefunctioning as a public key of the public key cryptosystem. The hostdevice also includes an interface unit configured to perform datacommunication with the data recording device through a secure channel,and an identification information generating unit configured to receivethe second controller identification information generated in the datarecording device based on the first controller identificationinformation by data communication through the secure channel and theinterface unit, to generate data recording device identificationinformation based on the second controller identification informationand the medium device key certificate ID.

Embodiments of the present invention will be described with reference todrawings. Electronic content data (hereinafter referred to simply as“content”) is easily duplicable so that unauthorized activitiesdisregarding the copyright regarding the content may easily occur. Froma point of view of protecting the content from such unauthorizedactivities, the content is usually encrypted and decrypted before beingplayed back in a genuine device.

An encryption with double keys scheme has been proposed in which thecontent key for encrypting the content is doubly encrypted with twokeys. Among the two encryption keys, a key unique to the storage medium(for example, a medium unique key) is securely recorded in a hidden areain a storage medium which cannot be accessed from outside of the storagemedium. Accordingly, even if only encrypted content key data were copiedfalsely, for example, the content cannot be used (decrypted) withoutnecessary medium unique key for decoding the encrypted content key data.

However, when such a medium unique key is read out falsely by a certainway, and is handed down to a manufacturer of fake storage medium (memorycards), it results in a diffusion of clone cards which are copies ofauthorized storage medium (memory cards). This means that content datais utilized falsely.

First Embodiment

FIG. 1 shows a structure of a memory card 1000 (a nonvolatile memorysystem) used for the information recording system according to the firstembodiment. This memory card 1000 is enabled to encrypt content data andstore it. Note that the nonvolatile memory system does not necessarilyhave the shape of the memory card. The memory card 1000 may beimplemented such that it is impossible to be attached or detached from ahost device 2000.

Also, this memory card 1000 is configured to be connected to a hostdevice 2000 (not illustrated in FIG. 1) and is enabled to perform acertain authentication/key exchange process with the host device 2000.When authentication/key exchange processing is completed, data write orread from the host device 2000 to a system information recording areaand a secret recording area of the memory card 1000 becomes possible.Also, reading of data that is necessary for decryption of the encryptedcontent data stored in the memory card 1000 is made possible by the hostdevice 2000 or a playback device connected to the host device 2000. Thisenables the playback of the content data.

In addition, the memory card 1000 according to the embodiment isconfigured to store a medium device key Kmd_i as a private key of apublic key cryptosystem, and a medium device key certificateCert_(media) including a public key of the public key cryptosystem, forperforming a authentication/key exchange process with the host device2000. This will be described in detail later.

This memory card 1000 is composed of a NAND type flash memory 100(hereinafter referred to as a memory 100), and a controller 200 forcontrolling a reading operation/write operation in the memory 100.Although a case is explained where the NAND type flash memory is adoptedas an example of the memory 100 hereinbelow, other memory units (amagnetic disk drive apparatus, resistance change memory, ferroelectricmemory, magnetic resistance memory, phase change memory) that may storedata in a non-volatile manner may be adopted as a memory 100.

The controller 200 comprises a NAND flash interface 201 for performingdata transfer with the memory 100, a host interface 202 for performingdata transfer with an external device such as the host device 2000, abuffer RAM 203 for temporarily storing read data and write data, an MPU204 for controlling data transfer, a hardware sequencer 205 used forsequential control of reading/writing of firmware (FW) in the NAND typeflash memory 21 or the like, a decryptor 206, a encoder 207, and a fusecircuit 208.

The NAND flash interface 201 includes an error correction circuit (ECC).When data is written in the NAND flash memory, the NAND flash interface201 calculates an error correcting code using the error correctioncircuit, and writes the data and the error correcting code in the NANDflash memory 21.

Also, when data is read from the NAND flash memory, the NAND flashinterface 201 calculates a syndrome from the data and the errorcorrecting code, thereby correcting the error of the data within acertain error-correcting capacity.

The firmware (FW) necessary for the controller 200 is automatically readfrom the memory 100 in an initialization operation (a power-on initialsetup operation) performed automatically after power-on, and istransferred to the data register (buffer RAM) 203. This reading controlis carried out by the hardware sequencer 205. Note that the firmware maybe stored in a ROM in the controller 200. The firmware in thisembodiment includes a one-way converter 211, an ID generator 212, anauthentication/key exchange process unit 213, and the like, as describedbelow.

The fuse circuit 208 stores a controller key Kc and a controller uniqueID (IDcu) for identifying the controller 20. The controller key Kc andthe controller unique ID (IDcu) are used to generate a controller uniquekey Kcu, as described below. When the above-mentioned medium device keyKmd_i is stored in a system information recording area 103 of the memorycard 1000, the medium device key Kmd_i is encrypted using the controllerunique key Kcu. The controller unique key Kcu is generated using thecontroller key Kc and the controller unique ID (IDcu) as input valuesinto the one-way converter 211. That is, the one-way converter 211 isone example of the controller unique key generating unit for generatinga controller unique key.

Also, the ID generator 212 (a controller identification informationgenerating unit) generates a public control unique ID (IDcntr) to betransmitted to external, using the controller key Kc and the controllerunique ID (IDcu) as input values thereto.

The authentication/key exchange process unit 213 performs anauthentication/key exchange process with the host device 2000 based onthe medium device key Kmd_i and the medium device key certificateCert_(media).

As shown in FIG. 2, the memory 100 is configured by arranging NAND cellunits NU (an NAND string) NU in each of which a plurality ofelectrically-rewritable nonvolatile memory cells (in the example of thefigure, 32 memory cells) M0-M31 are serially connected.

One end of the NAND cell unit NU is connected to a bit line BLo or BLethrough a selection gate transistor S1, while the other end thereof isconnected to a common source line CELSRC through a selection gatetransistor S2. The control gates of the memory cells M0-M31 areconnected to word lines WL0-WL31, respectively, and gates of theselection gate transistor S1 and S2 are connected to selection gatelines SGD and SGS.

A group of the NAND cell units arranged in a word-line directioncomprises a block as the smallest unit for data erasure. As shown, aplurality of blocks BLK0-BLKn-1 are arranged in a bit-line direction. Apart of blocks among the plural blocks is set as a normal recording area101 that is freely accessible without a special authentication process,while another part thereof is set as a secret recording area 102 thatbecomes accessible after a predetermined authentication/key exchangeprocess. Further, another part thereof is set as a system informationrecording area 103 for recording information determined in advance atthe time of memory-card production.

The normal recording area 101, the secret recording area 102, and thesystem information recording area 103 are assigned with logic addresses,respectively.

Designation of the logic address of the secret recording area 102 ispermitted only when an authentication/key exchange process describedbelow is completed.

Note that the normal recording area 101 may store 2 bits or more of datain one memory cell. On the other hand, the secret recording area 102 andthe system information recording area 103 may store only 1-bit data inone memory cell in view of securing data-reliability.

Also, in the normal recording area 101, correspondency between a logicaddress and a physical address is dynamically changed depending on dataupdate, while in the secret recording area 102 and system informationrecording area 103, it is possible to control the correspondency betweenthe logic address and the physical address such that it is staticallyfixed, in view of security of data reliability.

A sense amplifier circuit 3 used for reading and writing of cell data islocated at one end of the bit line BLe or BLo. Also, a row decoder 2 forselectively driving the word lines and the selection gate lines islocated at one end of the word line. FIG. 2 shows a case whereeven-number bit lines BLe and odd-number bit lines BLo adjacent to eachother are selectively connected to respective sense amplifiers SA of thesense amplifier circuit 3 by a bit line selection circuit.

Referring now to FIG. 3, a method of manufacturing the memory card 1000,and a method of writing the medium device key Kmd_i and the mediumdevice key certificate Cert_(media) will be described. The medium devicekey Kmd_i and the medium device key certificate Cert_(media) to bewritten in the memory card 1000 are provided from a key issue/managementcenter 3000 to a memory card manufacturer C, and are written into thesystem information recording area 103 of the memory 100 included in thememory card 1000 through the controller 200. Although omitted in FIG. 1,the memory card 1000 is connected to an apparatus (a PC, a mobile-phoneterminal, or a publicly-used terminal) having a certain communicationfunction. Through an apparatus having such a communication function,data issued from the key issue/management center 3000 are written to thememory card 1000.

As described earlier, the medium device key Kmd_i is a private key ofthe public key cryptosystem, while the medium device key certificateCert_(media) is data including a public key corresponding to the mediumdevice key Kmd_i as a private key. In the medium device key certificateCert_(media), a medium device key certificate ID (IDm_cert) is containedas identification information unique to the certificate.

In the production of memory card 1000, the controller 200 is providedfrom a controller manufacturer A, and the memory 100 is provided from amemory manufacturer B to a memory card manufacturer C. Note that two orall of the manufacturers A, B, and C may be the same company. The memorycard manufacturer C writes information that is necessary for the memory100, in order that the memory card 1000 is in an operable state.

The controller manufacturer A writes the controller key Kc and thecontroller unique ID (IDcu) in the controller 200 as secret informationwhen the controller 200 is produced. The controller key Kc may be set asa common key among a plurality of the controllers 200 for the reasonrelating to the manufacturing process. On the other hand, differentcontrollers 200 have different controller unique ID. That is, acontroller unique key generated in one controller 200 is alwaysdifferent from a controller unique key generated in another controller200.

The controller manufacturer A discloses data of the control key Kc givento the controller 200, to the key issue/management center 3000. Notethat the controller key Kc may be transmitted from the controllermanufacturer A to the key issue/management center 3000 using PGPencryption scheme or the like. The controller key Kc is secretinformation prepared for steadily writing the medium device key Kmd_iissued by the key issuance/management center 3000 to a controllermanufactured by the controller manufacturer A. In some cases, it ispossible to take a procedure in which the controller key Kc is generatedin the key issuance/management center 3000, and then disclosed to thecontroller manufacturer A.

The key issue/management center 3000 comprises a managing key unit 3002for generating a medium device key Kmd_i and medium device keycertificate Cert_(media), a device key database 3001 for managing thegenerated medium device key Kmd_i and the medium device key certificateCert_(media), and encryption unit 3003 encrypting the medium device keyKmd_i using the controller key Kc received from the controllermanufacturer A.

The control key Kc is used for encrypting the medium device key Kmd_i inthe key issue/management center 3000. The medium device key Kmd_i isgenerated in the key generator 3002, and then stored in the device keydatabase 3001. The encryption unit 3003 is supplied with thecorresponding medium device key Kmd_i from the device key database 3001,and encrypts it using the controller key Kc to generate encrypted mediumdevice key Enc (Kc, Kmd_i).

The controller key Kc is information that only the controllermanufacturer A and the key issue/management center 3000 may acquire.However, to reduce a damage when information on the controller key Kc isleaked to external by accident or by a certain reason, it is desirablethat different controller keys Kc(s) are used among different groupsincluding a certain number of the controllers, for example in a unit ofproduction lot.

Note that, in the key generator 3002 and the device key database 3001,not only the medium device key Kmd_i and the medium device keycertificate Cert_(media) for the memory card 1000 are generated andmaintained, but also a host device key Khd_i or a host devicecertificate Cert_(host) for the host device 2000 described later aregenerated and maintained in a similar way.

The memory card manufacturer C is supplied with the controller 200 fromthe controller manufacturer A, and receives from the keyissue/management center 3000 a medium device key encrypted for thecontroller 200(encrypted medium device key Enc (Kc, Kmd_i)), and amedium device key certificate Cert_(media) corresponding to the mediumdevice key. In order to receive a desired encrypted medium device keyEnc (Kc, Kmd_i), a model number of the controller 200 or a productionlot number thereof may be provided. This allows the medium device keyencrypted by a precise controller key Kc to be received.

The encrypted medium device key Enc (Kc, Kmd_i) is temporarily writtenin the buffer RAM 203 of the controller 200. Then, the controller 200decodes the encrypted medium device key Enc (Kc, Kmd_i) using thecontroller key Kc which it owns in the decryptor 206. The medium devicekey Kmd_i is thereby provided in the controller 200.

On the other hand, the one-way converter 211 operates a one-way functionusing the controller key Kc and the controller unique ID (IDcu) held inthe controller 200 as input values thereto to generate a controllerunique key Kcu. The medium device key Kmd_i is encrypted in theencryptor 207 again using this newly generated controller unique keyKcu, thereby generating an encrypted medium device key Enc (Kcu, Kmd_i).This encrypted medium device key Enc (Kcu,

Kmd_i) is stored in the system information recording area 103 of thememory 100 supplied by the memory manufacturer B. In this case, themedium device key certificate Cert_(media) corresponding to theencrypted medium device key Enc (Kcu, Kmd_i) written in the systeminformation recording area 103 is stored in the system informationrecording area 103 similarly.

The controller unique key (Kcu) is generated using the controller key Kcsecretly stored in the controller 200 and the controller unique ID(IDcu). Accordingly, a risk of information necessary for decrypting theencrypted medium device key Enc (Kcu, Kmd_i) being leaked to external issmall. It is extremely difficult to falsely perform re-encryption of themedium device key Kmd_i (after decryption by the original controllerunique key Kcu1, encrypting it with another controller unique key Kcu2)in order that the encrypted medium device key Enc (Kcu, Kmd_i) oncewritten in the memory 100 is made available in a separate controller200.

In the first embodiment, a one-way function is used for generating thecontroller unique key Kcu from the controller key Kc and the controllerunique ID (IDcu). However, it is possible to employ a function that cangenerate one piece of output data from two or more pieces of input data.The function is not limited to a one-way function.

Next, referring now to FIG. 4, the entire structure and the operation ofthe information recording system according to the first embodiment willbe described.

As noted above, the memory card 1000 is provided with the encryptedmedium device key Enc (Kcu, Kmd_i) and the medium device key certificateCert_(media). Such the memory card 1000 is connected to the host device2000. This allows the memory card 1000 to be written with the contentdata C provided from the host device 2000, or to output the fetchedcontent data C to the host device 2000 as shown in FIG. 4. The memorycard 1000 and the host device 2000 together form an informationrecording system.

Here, a structure of the host device 2000 will be described. The hostdevice 2000 comprises a holding unit 401, an authentication/key exchangeprocess unit 402, an ID combining unit 403, a one-way converter 404, arandom number generator 405, an encryptor/decryptor 406, and anencryptor/decryptor 407.

The holding unit 401 stores above-described host device key Khd_j and ahost device certificate Cert_(host). The host device key Khd_j is aprivate key of the public key cryptosystem, and the host devicecertificate Cert_(host) is data including a public key that forms a pairwith the host device key Khd_j. The authentication/key exchange processunit 402 has a function of performing an authentication/key exchangeprocess with the authentication/key exchange process unit 213 of thememory card 1000, through an interface unit 500, 202 and a securechannel to output a medium device key certificate ID (IDm_cert). Inaddition, the ID combining unit 403 is configured to generate a memorycard unique ID (IDmc) based on the public controller unique ID (IDcntr)and the medium device key certificate ID (IDm_cert). This ID combiningunit 403 functions as an identification information generating unit forgenerating a memory card unique ID (IDmc) based on the controller uniqueID (IDcntr) and the medium device key certificate ID (IDm_cert). This IDcombining unit 403 merely couples two IDs to generate another new ID. Inplace of such a simple combination, it is possible to generate a new IDusing a one-way function or a cryptographic algorithm, for example.

The one-way converter 404 generates medium unique key Kmu using aone-way function, to which the memory card unique ID (IDmc) and a mediumkey Km generated at the random number generator 405 are input. Therandom number generator 405 generates a random number, and generates themedium key Km and a title key Kt based on the acquired random number.The encryptor/decryptor 406 encrypts the title key Kt by theabove-mentioned medium unique key Kmu. In addition, theencryptor/decryptor 407 encrypts the content data C by the title key Kt(to obtain encrypted content data Enc (Kt, C)).

Note that, in the present embodiment, the medium unique key Kmu isgenerated by the the host device 2000, and the medium unique key Kmu isused as an encryption key for encrypting the title key Kt. Similarly tothe conventional content data protection technology, it is also possibleto employ a scheme in which a medium unique key Kmu stored in the secretrecording area 102 is directly used for encrypting the content data C.

Also, a double encryption key scheme is also available in which a userkey Ku unique to a user is encrypted by a medium unique key Kmu, acontent key Kct is encrypted by the user key Ku, and further contentdata is encrypted by the content key Kct. In addition, not only themedium key Km and the title key Kt may be generated in a host device,they may be written in the memory card in advance, or may be providedfrom an external device (not shown).

Next, an operation when content data C is written to the memory card1000 from the host device 2000 will be described with reference to FIG.4. First, the memory card 1000 generates the controller unique key Kcufrom the controller key Kc and the controller unique ID (IDcu) using theone-way converter 211. Then, the encrypted medium device key Enc (Kcu,Kmd_i) is decoded using this controller unique key Kcu, thereby themedium device key Kmd_i being obtained. The medium device key Kmd_i andthe medium device key certificate Cert_(media) are transferred to theauthentication/key exchange process unit 213.

On the other hand, the host device 2000 transfers the host device keyKhd_j and the host device certificate Cert_(host) to theauthentication/key exchange process unit 402. The authentication/keyexchange process is thereby performed in the authentication/key exchangeprocess unit 213 and 402. When the process is completed, a securechannel is established between the memory card 1000 and the host device2000. When secure channel is established, the ID generator 212 mayoutput a public controller unique ID (IDcntr) which was generated byitself through an interface unit and through a secure channel.

When a secure channel is established, the ID generator 403 couples thepublic controller unique ID (IDcntr) and the medium device keycertificate ID (IDm_cert) to generate the memory card unique ID (IDmc).

The host device 2000 generates the medium key (Km) using the randomnumber generator 405, and stores the generated medium key Km in thesecret recording area 102 of the memory card 1000 via the secure channeland the interface units 500 and 202.

The host device 2000 generates the medium unique key Kmu from the mediumkey Km and the memory card unique ID (IDmc) using the one-way converter404.

The host device 2000 generates the title key Kt using the random numbergenerator 405, and the title key Kt is further encrypted by the mediumunique key Kmu using the encryptor/decryptor 406. The encrypted titlekey Kte=Enc (Kmu, Kt) is stored in the normal recording area 101 of thememory card 100.

The host device 2000 encrypts the content data C using the title key Kt,and the encrypted content data Ce=Enc (Kt, C) is stored in the normalrecording area 101 of the memory card 1000. With the above-describedprocesses, a record operation of the content data C is completed.

Next, an operation when the content data C is read from the memory card1000 to the host device 2000 will be described with reference to FIG. 5.The authentication/key exchange process in the authentication/keyexchange process units 213 and 402, and the operation in the IDcombining unit 403 are generally the same as in the write operation(FIG. 4).

When the authentication/key exchange process is completed, and thereby asecure channel is established, an access to the secret recording area102 and the system information recording area 103 is enabled (that is,designation of a logic address of the secret recording area 102 and thesystem information recording area 103 becomes possible). In addition,the medium key Km stored in the secret recording area 102 of the memorycard 1000 is provided to the one-way converter 404 of the host device2000 through the secure channel. The one-way converter 404 generates themedium unique key Kmu using this medium key Km and the above-mentionedmemory card unique ID (IDmc). The encryptor/decryptor 407 decodes theencrypted title key Enc (Kmu, Kt) stored in the memory card 100 usingthis medium unique key Kmu, thereby the title key Kt being obtained.Then, the encrypted content data Enc (Kt, C) stored in the memory card100 is decoded using the provided title key Kt, thereby the content dataC being obtained.

As explained above, in this embodiment, the medium device key Kmd_i andthe medium device key certificate Cert_(media) in accordance with thepublic key cryptosystem are used for the authentication/key exchangeprocess. However, the controller unique ID (IDcntr) is generated basedon the controller key Kc of the controller 200 and the controller uniqueID (IDcu), and is supplied to the host device 2000 through a securechannel. Because it is transmitted through the secure channel, thecontroller unique ID (IDcntr) does not leak out outside, and thefalsification is prevented. Also, based on this controller unique ID(IDcntr) and the medium device key certificate ID (IDm_cert), the memorycard unique ID (IDmc) is generated by the ID combining unit 403. Basedon this memory card unique ID (IDmc), the medium unique key Kmu of thememory 100 in the memory card 1000 is generated.

Thus, according to the present embodiment, even when anauthentication/key exchange using the public key cryptosystem isprocessed, the controller unique ID (IDcntr) unique to the controller200 can be interrelated with a pair of a public key and a private key,thereby spread of clone cards can be prevented.

Second Embodiment

FIG. 6 is a block diagram showing the structure of the informationrecord system according to the second embodiment. Since the hardwarestructure thereof maybe similar to those shown in FIG. 1 and FIG. 2, theexplanation thereof is omitted hereinbelow. In this embodiment, as shownin FIG. 6, the operation of the authentication/key exchange process unit213 is different. That is, the ID generator unit 212 in this embodimentdoes not directly transmit the controller unique ID (IDcntr) generatedin the ID generator 212 to the host device 2000, but transmits it to theauthentication/key exchange process unit 213 in the controller 200.Then, the controller unique ID (IDcntr) is used as one of the parametersof the authentication/key exchange process.

When the authentication/key exchange process is completed, thecontroller unique ID (IDcntr) is transmitted to the ID combining unit403 with the medium device key certificate ID (IDm_cert). The operationthereafter is generally the same as the first embodiment.

FIG. 7 describes procedures of an operation when a standardauthentication/key exchange based on elliptic curve cryptography isused.

The host device generates a random number RNh (step S1), and transfersit to the memory card 1000 with the host device certificate Cert_(host)(step S2). The memory card 1000 verifies a digital signature containedin the received host device certificate Cert_(host), and generates arandom number RNm (step S3).

Subsequently, the memory card 1000 sends the random number RNm and themedium device key certificate (Cert_(media)) to the host device (stepS4). In response to this, the host device 2000 verifies a digitalsignature contained in the received medium device key certificateCert_(media). In time with step S4, the memory card 1000 generates arandom number Mk necessary for Diffie-Hellman key exchange process inthe elliptic curve cryptography. It also calculates a value forchallenge Mv (=Mk*G) using a base point G of the elliptic curve. IDcntris generated in the ID generator 212. In addition, using the mediumdevice key Kmd_i, a digital signature for the value for challenge Mv,the random number RNh received in step S2 and the controller unique ID(IDcntr) is generated (step S6). The memory card 1000 sends the valuefor challenge My generated in step S6, the controller unique ID (IDcntr)and the digital signature generated in step S6 to the host device 2000(step S7).

The host device 2000 verifies the signature received in step S7,generates a random number Hk necessary for Diffie-Hellman key exchangeprocess in the elliptic curve cryptography, and calculates a value forchallenge Hv (=Hk*G) using a base point G of the elliptic curve. Then,it generates a digital signature for the value for challenge Hv and therandom number RNm received in step S4, using the host device key Khd_j,and calculates a shared key Ks (=Hk*Mv) shared by the authentication/keyexchange process (step S8).

The host device 2000 sends the value for challenge Hv generated in stepS8 and the digital signature to the memory card 1000 (step S9). Inresponse to this, the memory card 1000 verifies the digital signaturereceived in step S9, and calculates the shared Key Ks (=Mk*Hv).

When the signature cannot be inspected properly in the digital signatureverification process in the above-described processes, the processesthereafter are aborted in any of the steps.

By performing the above-mentioned authentication/key exchange process,the memory card can share a shared key with the host device secretly. Inthe authentication/key exchange process, the shared Key is calculatedusing challenges generated by the host device and the memory card.Accordingly, the values of the shared key are different among differentauthentication/key exchange processes.

While certain embodiments of the inventions have been described, theseembodiments have been presented by way of example only, and are notintended to limit the scope of the inventions. Indeed, the novel methodsand systems described herein may be embodied in a variety of otherforms; furthermore, various omissions, substitutions and changes in theform of the methods and systems described herein may be made withoutdeparting from the spirit of the inventions. The accompanying claims andtheir equivalents are intended to cover such forms or modifications aswould fail within the scope and spirit of the inventions.

For example, in the above-described embodiments, the controller uniqueID (IDcntr) is generated based on a pair of the controller key Kc andthe controller unique ID (IDcu) in the ID generator 212. However, inplace of this, the controller unique ID (IDcntr) may be generated onlybased on the controller unique ID (IDcu). If another unique informationthat can be disclosed outside may be generated while the controllerunique ID (IDcu) secretly stored in the controller 200 is kept in asecret state, a parameter used herein has no requirement. However, thefunction used for generation is an irreversible one such as a one-wayfunction. That is it is necessary to select a function that prevent areverse calculation based on the provided control unique ID (IDcntr) toobtain the original control unique ID (IDcu).

The above-described embodiments may be expressed as follows.

-   (1). A data recording device, comprising:

a memory unit configured to store various types of data;

a controller provided with a controller key and a first controlleridentification information unique to the controller, and configured tocontrol the memory unit; and

an interface unit configured to perform data communication with a hostdevice through a secure channel,

the controller further comprising:

a controller unique key generating unit configured to generate acontroller unique key unique to a respective controller based on thecontroller key and the first controller identification information;

a controller identification information generating unit configured togenerate second controller identification information based on the firstcontroller identification information;

a decryptor; and

an authentication/key exchange process unit configured to perform anauthentication/key exchange process with the host device,

the memory unit further comprising:

a normal recording area accessible freely from outside;

a system information recording area storing an encrypted medium devicekey and a medium device key certificate, the encrypted medium device keybeing a medium device key encrypted by the controller unique key, themedium device key functioning as a private key of a public keycryptosystem, the medium device key certificate functioning as a publickey of the public key cryptosystem; and

a secret recording area accessible on the condition that a certainauthentication process is completed,

the decryptor being configured to decode the encrypted medium device keyusing the controller unique key to obtain the medium device key,

the authentication/key exchange process unit being configured to performauthentication key exchange process with the host device through theinterface unit using the medium device key and the medium device keycertificate to establish the secure channel.

-   (2). The data recording device of (1), wherein

the controller identification information generating unit generates thesecond controller identification information based on the controller keyand the first controller identification information.

-   (3). The data recording device of (1), wherein

the controller identification information generating unit transmits thesecond controller identification information through the interface unit,after the secure channel is established.

-   (4). The data recording device of (3), wherein controller    identification information generating unit generates the second    controller identification information based on the controller key    and the first controller identification information.-   (5). The data recording device of (3), wherein

when the secure channel is established, the controller permits access tothe system information recording area.

-   (6). The data recording device of (5), wherein

the controller identification information generating unit generates thesecond controller identification information based on the controller keyand the first controller identification information.

-   (7). The data recording device of (1), wherein

the controller identification information generating unit comprises aone-way converter.

-   (8). A host device enabled to be connected to a data recording    device, the data recording device comprising a memory unit    configured to store various types of data, and a controller provided    with a controller key and a first controller identification    information to control the memory unit, and configured to perform a    certain authentication process with the data recording device to    supply data thereto,

the host device comprising:

a holding unit for holding a host device key functioning as private keyof public key cryptosystem and a host device certificate functioning asa public key of public key cryptosystem;

an authentication/key exchange process unit configured to perform anauthentication/key exchange process with the data recording device usingthe host device key and the host device certificate to receive mediumdevice key certificate ID held in the data recording device andcontained in the medium device key certificate functioning as a publickey of the public key cryptosystem;

an interface unit configured to perform data communication with the datarecording device through a secure channel; and

an identification information generating unit configured to receivesecond controller identification information generated in the datarecording device based on the first controller identificationinformation by data communication through the secure channel and theinterface unit, to generate data recording device identificationinformation based on the second controller identification informationand the medium device key certificate ID.

-   (9). The host device of (8), further comprising a key generating    unit configured to generate key information used to encrypt content    data or key data for encrypting the content data based on the data    recording device identification information.-   (10). The host device of (8), wherein the second controller    identification information is generated based on the controller key    and the first controller identification information.-   (11). The host device of (10), wherein

the second controller identification information is received through theinterface unit after the secure channel is established.

-   (12). The host device of (11), wherein

the second controller identification information is generated based onthe controller key and the first controller identification information.

-   (13). The host device of (12), wherein

the second controller identification information is transmitted throughthe interface unit after the secure channel is established.

-   (14). The host device of (13),

wherein the second controller identification information is generatedbased on the controller key and the first controller identificationinformation.

-   (15). A method of performing an authentication process between a    data recording device and a host device,

wherein the data recording device comprises a memory unit and acontroller configured to control the memory unit, and is provided with acontroller key and a first controller identification information,

a medium device key functioning as a private key of public keycryptosystem and a medium device key certificate functioning as a publickey of the public key cryptosystem are held in a system informationrecording area in the memory unit,

the medium device key is encrypted by a controller unique key generatedbased on the controller key and the first controller identificationinformation, and is stored in the system information recording area asencrypted medium device key,

the host device holds a host device key functioning as a private key ofthe public key cryptosystem and a host device certificate functioning asa public key of the public key cryptosystem,

the method comprising:

generating second controller identification information based on thefirst controller identification information;

performing an authentication/key exchange process using the encryptedmedium device key, the medium device key certificate, the host devicekey and the host device certificate to obtain medium device keycertificate ID contained in the medium device key certificate;

generating data recording device identification information based on thesecond controller identification information and the medium device keycertificate ID; and

generating a medium unique key based on the data recording deviceidentification information.

-   (16). The method of processing a data recording device of (15),    wherein

the second controller identification information is generated based onthe controller key and the first controller identification information.

-   (17). The method of processing a data recording device of (16),    wherein

the second controller identification information is transmitted throughthe interface unit after the secure channel is established.

-   (18). The method of processing a data recording device of (17),    wherein

the second controller identification information is generated based onthe controller key and the first controller identification information.

-   (19). The method of processing a data recording device of (15),    wherein

the second controller identification information is transmitted throughinterface unit after the secure channel is established.

-   (20). The method of processing a data recording device of (19),    wherein

the second controller identification information is generated based onthe controller key and the first controller identification information.

What is claimed is:
 1. An information recording device, comprising adata storage portion and a controller, the data storage portion storesan encrypted medium device key Enc (Kcu, Kmd_i) generated by encryptinga medium device key (Kmd_i), a medium device key certificate(Certmedia), and encrypted content data generated by encrypting contentdata, the controller stores a controller key (Kc) and first controlleridentification information (IDcu), the information recording devicebeing configured to execute, after being connected to an external hostdevice, an one-way function calculation based on the controller key (Kc)and the first controller identification information (IDcu) to generate acontroller unique key (Kcu) used when decrypting the encrypted mediumdevice key Enc (Kcu, Kmd_i), and second controller identificationinformation (IDcntr) used when decrypting the encrypted content data.